Thursday, November 10, 2011

[android-developers] APK Signature Certificate Check

Hi All,

Sorry if this has already been answered, but searching for this is
returning piles of LVL-related posts.

We recently discovered that our app's apk is being unpacked, modified,
then resigned and re-distributed without our approval. What's the
proper way of checking for a modified apk signature?

Currently I have something in place where I get the PackageInfo's
signatures (e.g. getPackageManager().getPackageInfo) and feed them
into X509Certificate which I use to check the issuer DN.

This will at least tell me that the DN changed, but that's obviously
easy to get around.
What's the proper way to go about checking the package signature with
a remote service?

Or am I going about this all wrong? Perhaps checksums are the better
way to go?

Thank You,
-Chad
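For reference, here is one way to do the check the post describes without relying on the issuer DN. This is an added example, not code from the original post or from any library: it pulls the signing certificate(s) out of PackageInfo exactly as described above, but compares a SHA-256 fingerprint of the DER-encoded certificate against a value baked in at build time. Anyone re-signing the apk can reproduce a DN string, but cannot reproduce the fingerprint of the original certificate without the original key. `EXPECTED_SHA256_HEX` is a placeholder you would replace with the fingerprint of your own release certificate (`keytool -printcert` on the CERT.RSA in META-INF prints it); the class and method names are my own.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: checks the fingerprint of the certificate that signed this
 * package rather than its issuer DN. A re-signed apk will carry a different
 * certificate, and therefore a different fingerprint, no matter what DN the
 * re-signer puts in it.
 */
public final class SigningCertCheck {

    // Placeholder: replace with the hex SHA-256 fingerprint of your own
    // release certificate (e.g. from `keytool -printcert -file CERT.RSA`).
    private static final String EXPECTED_SHA256_HEX =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private SigningCertCheck() {}

    /**
     * Returns the SHA-256 fingerprint (lowercase hex) of every certificate
     * the package manager reports as having signed this package.
     */
    public static List<String> signingCertFingerprints(Context ctx) throws Exception {
        PackageInfo info = ctx.getPackageManager().getPackageInfo(
                ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<String> fingerprints = new ArrayList<String>();
        for (Signature sig : info.signatures) {
            // Signature.toByteArray() is the DER-encoded X.509 certificate.
            X509Certificate cert = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(sig.toByteArray()));
            fingerprints.add(sha256Hex(cert.getEncoded()));
        }
        return fingerprints;
    }

    /**
     * True only if the package has at least one signing certificate and every
     * one of them matches the expected fingerprint. Any exception fails closed.
     */
    public static boolean isSignedByExpectedKey(Context ctx) {
        try {
            List<String> fps = signingCertFingerprints(ctx);
            if (fps.isEmpty()) {
                return false;
            }
            byte[] expected = EXPECTED_SHA256_HEX.getBytes("US-ASCII");
            for (String fp : fps) {
                // Constant-time comparison; avoids a timing side channel.
                if (!MessageDigest.isEqual(fp.getBytes("US-ASCII"), expected)) {
                    return false;
                }
            }
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** Hex-encodes SHA-256(der). */
    static String sha256Hex(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

The caveat is the one the post already hints at: any check that lives inside the apk can be removed by whoever is repackaging it, so a local comparison only raises the bar. The stronger variant of the same idea is the remote-service one asked about: send the output of `signingCertFingerprints()` along with each request and have the server reject anything whose fingerprint it does not recognise, so the decision is made on a machine the repackager does not control.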

--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
